Ransomware Attacks Hit Closer To Home
July 12, 2021 Alex Woodie
Fifteen hundred organizations around the world had their data locked up in the latest ransomware attack, including grocery store chains and schools. It’s unclear if any IBM i shops were included in the attack, which a Russian hacking group claimed credit for. But it’s clear that ransomware is a growing threat to all organizations, including IBM i shops.
On July 2, as hundreds of millions of Americans hunkered down for the long Independence Day holiday weekend, hackers using the REvil ransomware were just getting started. The Russian-affiliated hacking group had already done the hard work of exploiting a five-year-old security flaw in the Kaseya Virtual System Administrator (VSA) software. Now it was time to activate the ransomware that it had surreptitiously installed via that Kaseya VSA flaw on the computer systems of 1,500 organizations around the world.
The result was calamity. Hundreds of stores in a grocery store chain in Sweden had to close because of the hack, and at least nine schools in New Zealand were affected, according to reports. The local government for a small town in Maryland was forced to take its computer systems down. The hackers targeted companies that provide computer services to downstream companies, which in turn led to ransomware being installed on the systems of dentist offices, restaurants, and small accounting firms.
REvil immediately took credit for the attack, and announced that in exchange for a small donation of $70 million in bitcoin, they would kindly provide a master decryption key. It was the second major attack for the Russian-backed group in less than a month, as REvil also took credit for the ransomware attack on JBS, the large Brazil-based meat company that also has locations in the United States. JBS says it was able to recover its systems, but it paid an $11 million ransom just to be sure it lost no data. Colonial Pipeline reportedly paid $4.4 million to the Russian hacking group called DarkSide to unlock its data after it was hit with a ransomware attack in May.
Considering the widespread use of the IBM i server in the impacted industries, and the server’s well-documented susceptibility to ransomware, it’s entirely possible that some of this ransomware found its way onto IBM i servers. However, the victims of any type of cybercrime are not typically in the mood to talk specifics.
In any event, IT Jungle uncovered no evidence that IBM i shops were impacted by the July 2 attack. But the attacks have certainly grabbed the attention of business leaders, and political leaders too.
“Our customers are very aware of the ransomware rise,” says Kurt Thomas, a senior systems engineer with HelpSystems, which sells security software for IBM i and other platforms. “Ransomware has simply become a top IT security concern. The Kaseya hack and before it the Sunburst/Solarwinds hack once again proved how vulnerable systems are.”
The IBM i server does enjoy some extra security due to its relative obscurity. Windows and Linux servers vastly outnumber IBM i servers, which makes them better targets for profit-seeking cybercriminals. The IBM i server has a different security model than industry-standard x86 servers, which gives it additional cover. While it’s possible to compromise an IBM i server (the only totally secure server, remember, is one encased in six feet of concrete and buried underground), the hacker would need special skills.
However, when it comes to malware infections, the IBM i server’s Windows-like Integrated File System (IFS) means that IBM i servers are just as susceptible to infection as any Windows server. This is something that IBM i security experts have been warning about for many years.
“While ransomware has not been singling out the IBM i, the i gets hit by way of collateral damage,” Thomas tells IT Jungle via email. “Ransomware, running on Windows/Linux/Unix systems, will indiscriminately encrypt all files it can get to. That includes files on IBM i that are shared over an internal network–think drive J, pointing to an IFS directory. The ransomware will encrypt and potentially also exfiltrate those files as easily as if they were on a Windows system.”
Since IBM i systems provide business-critical data and functionality, “that means the potential for damage is huge,” Thomas continues. “And that’s not even including the indirect risks—image loss for the affected company, costs of downtime, of system cleanup, of fines for failing to protect personal information, etc.”
The good news is that some IBM i shops are getting the message, and seeking help from vendors, who can often provide solutions to automate the sometimes-difficult task of correctly configuring the IBM i security settings.
“I have spoken with customers in the last month who have had their networks hit by ransomware,” HelpSystems security consultant Sandi Moore tells IT Jungle. “I can’t give specifics, but we have worked with many of them to implement Powertech solutions to remediate inappropriate shares and user authorities. Using a layered approach is always best practice.”
While the “zero-trust” security architecture is gaining traction, including vendors like Illumio and Guardicore that are bringing it to the IBM i server, having multiple layers of security in place remains the best practice for security on the midrange server. That’s the approach espoused by Carol Woodbury, the former IBM security architect for OS/400 and now a security consultant at DXR Security.
“I’m big into multiple layers of defense,” Woodbury said during a recent webinar hosted by Precisely. “If one thing doesn’t catch the intrusions, the next thing will.”
IBM i shops should do more to protect themselves from malware, including ransomware, Woodbury said during the webinar, which was titled “Configuration Tips to Reduce the Risk of IBM i Malware Infection.”
“If someone were to ask me what is the biggest risk on IBM i today, it’s malware infection, in my opinion,” Woodbury says.
Typical usage of IFS files is in exchanging information. Read and write capability, not update in place in IFS. Remove permissions to update and delete from network and you have removed remote encrypting capability from a PeeCee (workstation or server) on the network.
An encrypted file could be written to the IFS, but it was corrupted before getting to the IFS. As always, the problem needs to be stopped in Windows. But there is no reason to allow Windows to access and update or replace IFS files to encrypt them when basic functionality is read and write files to exchange information via IFS.